What happens when your oven is on the Internet? A malicious hacker might be able to set it to broil while you're on vacation, and get it so hot that it could start a fire. Or a prankster might set your alarm to wake you up at 3 a.m. - and what if someone gets access to the wireless security camera over your front door and uses it to gain access to the rest of your home network, and from there to your bank account? Not good. With the 'Internet of Things' you will have many devices to secure, not just a couple of computers and handheld devices. Timothy Lord met Mark Stanislav of Duo Security at BSides Austin 2014, which is where this interview took place. (Here's an alternate link to the video.)

Tim: So Mark, we’re here in Austin at the BSides Security Conference, and you gave a talk today, and you want to help people who work here in Austin to have a little idea about security with the Internet of Things. So first of all, as a term, what does the Internet of Things mean, and what are some significant aspects of it?

Mark: Sure. So Internet of Things really comes down to mostly Internet-enabled embedded devices; that’s kind of the easiest box to put it in. So a lot of the devices like IP cameras, thermostats, they are internet-enabled. Those kinds of devices that we’re all putting on our networks right now, we consider that the Internet of Things.

Tim: Okay. Now pervasiveness is one aspect of the Internet of Things; why is that significant?

Mark: Well, if we had one internet-enabled device, maybe a computer in our home, that’s not such a big deal, but when we have 5 or 10 or 12 of these devices that we’re putting on our network, maybe in a couple of weeks, you have a lot of devices to update, you have a lot of firmwares to consider, you have a lot of possible attack surface that maybe you didn’t have even a month ago.

Tim: And when you say attack surface, what are some examples of attack surfaces that this sort of ubiquitous computing brings in?

Mark: Sure. So a lot of the devices themselves have open ports that might be on the Internet if you don’t have perhaps the right network filtering. Some of these devices have network connections that will go outbound to the Internet and then allow maybe an attacker to go through a third-party service, connect back into your network. So there’s just a lot of added exposure to your network that wouldn’t have been there previously without these devices.

Tim: Now, you are a security researcher, but you’re obviously not a malicious black hat hacker who is trying to break people’s networks and kill devices for your own pure greed or anything like that. You mentioned in your talk you believe in coordinated disclosure; what does that process mean for you in this context?

Mark: Yeah. So really I think giving vendors an opportunity to fix the issues in their devices really benefits not only the vendors, in terms of goodwill to the security community, knowing that researchers are out there to help them and do cool projects and find out interesting things, but also gives consumers a chance to have a patched device before details maybe come out that could impact their security, safety, privacy.

Tim: Now is that complicated by the fact that in this world there are a lot of things that are going to be coming from vendors that we haven’t heard of now, but we will hear about in 6 or 12 months? Kickstarter is one of the things you mentioned; a lot of cool projects are coming out of there. Does that change the equation when it comes to disclosure?

Mark: It does. There’s a really wide path of vendors that we have to talk to now, where before it was Microsoft and Samsung and Belkin; that’s a few companies that you have to get familiar with, talk to once, get exposure to them, so they know who you are. We have a lot of vendors. If you look at the website Postscapes, or Wolfram Alpha actually has a devices page now for Internet of Things, there are a lot of devices out there, and almost all the devices, you’ve never heard of the vendor making them.

Tim: Now on that front too there are complications simply from sheer numbers. What are some examples? What sort of things do we already see, and what should we expect really coming from crowdfunding, from small-cap companies? What are some examples here?

Mark: Sure. So I think a lot of the systems on chips that we’re seeing that are actually going in Internet of Things devices, a lot of companies are coming up; take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We’re seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device with a couple of bucks is becoming a reality, and obviously if you have a really niche product that might be really popular on Kickstarter, you could actually deploy tens of thousands of those with a successful crowdfunding campaign and never really know about the actual security of that product before it goes to market.

Tim: Now the talk that you gave today, you mentioned some rules that you’d like to see developers follow, some sort of tips. What are some of the most important of these? If you are a developer nowadays, you really have a lot of security things to think about; if you’re making a device that’s going to control a thermostat, or that might access a bank account because you are swiping a credit card through it, what are some of the rules that developers should keep in mind for security?

Mark: Yeah, even to the extent that we’ve seen, I believe Samsung actually has an oven that’s mobile enabled, that you can change the temperature and so on; it’s not just turning a light switch on and off as a threat, we actually have a lot of devices that could pose actual risk to either privacy or life. So simple things like not embedding secret values into firmware, or passwords into a mobile app binary that you put into the app store; really basic ways of getting a product to market that are kind of a shortcut to doing things the right way are one of the biggest areas that people fall over when it comes to security.

Another thing is people just still don’t use encryption enough. They don’t do end-to-end encryption, whether it’s from your device to a server that they own, but also just encrypting passwords that you might be giving them on the other side of their service. So a lot of this we’ve seen year after year... if you’re doing web or mobile best practices, ISO standards. This isn’t anything new, but the reality is that we’re putting a lot of devices online without understanding them nearly as well as we should. When we build a piece of software deployed on a Windows machine, all you have to worry about is the software; now we have to worry about the firmware, the operating system, the architecture of the chipset, we have to worry about the third-party vendors. There are a lot more ways that an attacker could actually break into one of those devices and potentially compromise them and do bad things. There’s a lot more at stake as well, again getting back to ovens that are on the Internet. A lot worse things can happen, and if we talk about security theatre, at the point that you could turn on an oven, a broiler, all day for weeks on end when someone is gone, that could be a really serious consequence for someone.

Tim: One of the things you mentioned today is that instead of being 1 or 5 or 10 devices too, we may have 30 or 50 things around your household.

Mark: Absolutely. I mean the number of devices that you carry in your pocket that are WiFi-enabled, the number of devices that are meant to have a third-party service that they connect out through, a phone home if you will; this isn’t going to be one or two or three things. You might have 10 things per person in a family of five; that’s a lot of devices connected to the internet, whether it’s a proxy or reverse proxy, or an open port on the internet directly. There are a lot of things that we have to be cognizant about that are going to be on our networks, that we aren’t going to know exactly what they’re doing; they’re a little bit of black boxes, and what does that mean to our kind of risk profile as consumers or even businesses?

Tim: A lot of weakest-link things too; if they have reverse proxies you may be exposing every other device in your network.

Mark: Sure.

Tim: Just because one thing is broken.

Mark: Breaking into one service, if they have access directly into your network to actually manage one of those devices or give you access to manage it yourself with, say, a mobile app, the difference between you managing a device the right way and an attacker breaking in through that proxy and then connecting through other network devices isn’t much of a leap.

Tim: Now you did some research that exposed some holes in IZON cameras. That doesn’t seem like the very worst thing that could happen. What are the biggest dangers if you can control, let’s say, all the devices that are going to be in your house 2 or 5 or 10 years from now?

Mark: So, I think a lot of it is going to be the kind of accidental exposure. So, for instance, with the IZON camera, it was just running a Linux. So you break into a Linux device over the internet and now you have access to all of the computers on that network, so all the computers that actually have your tax files, your personal information, your password lists. So perhaps it’s more of a jump-point type scenario where maybe the device, like, obviously compromising a camera and watching someone isn’t the most – it’s a little bit disconcerting for any consumer, but it’s also not the end of the world in most cases.

Tim: It’s not immediately life threatening?

Mark: Sure. Whereas if I can break into your network and then use that camera as a point to compromise all of your other systems, and now have access to all your bank accounts and all your personal documents and all of your photos, that can really change and put a consumer in a position where things like we see with CryptoLocker, where an attacker breaks in, takes your files, encrypts them in a way that you can’t decrypt them and then ransoms them; we could see similar things happen with Internet of Things, where I can break in through an IP camera, get into your network, steal all your data and then not give it back unless there’s a ransom. There are a lot of really cascading problems here.

Tim: One of the reasons that you gave a talk is because you actually have some ideas that aren’t just leaving people with the end-of-the-world scenario; you actually got some ideas for fixing some of this. Can you talk a little bit about that?

Mark: Sure. So, out of security research projects over the last couple of years, myself and my co-researcher in a lot of ways, Zachlin here, are looking at doing a website called Build it Securely, so that’s builditsecure.oi, and then we’re actually going to be having more details about that this coming April. And what we’re really trying to do is two things. Primarily, give resources to vendors that want to do IoT devices, so that they’re aware of security risks, the right way to work with security researchers, some of the things that might affect their device as an engineer or a product manager or a developer, and give them a little bit better of a sense of what happens when a security researcher reaches out to them with some problems and how best to approach those issues.

The second thing is, we’re actually partnering with the service called Bugcrowd, and we’re going to be setting up vendors in the IoT space, small-commercial, Kickstarted, angel-invested-type small companies that don’t have the money to actually invest in their own security, don’t have the money to pay for a consultant to review how they did their information security program, and actually let them go directly with security researchers and have researchers look at devices, send bugs in, triage them and then actually get results back from the vendor directly and say, hey, thanks for submitting these bugs, here is a t-shirt for the time you spent looking at our device, we appreciate you doing it.

Tim: Now, just besides money, are there other barriers that small companies or new nascent companies have when it comes to this kind of review?

Mark: Well, especially in the IoT space, with the ease that we really have right now with creating a device from a $20 chipset and a shell with a 3D printer, anyone can really be an IoT manufacturer right now, which is great and terrifying at the same time. We’ve obviously seen security for companies, companies like Linksys and Cisco, they’ve had some of the same kind of amateur errors, if you will, over the years for some of their devices, and I think it’s a fair assumption that a lot of these engineers may know electrical engineering really well, but may not know information security best practices, TCP security, password security, and what we really need to do is try to help them get down that road with us, so that when a researcher does reach out, it’s a good experience, not a bad one. So what we really need to do is formalize that a little bit more, and I think using Bugcrowd as a kind of a mechanism to do that will give them a shot.

Tim: Let me ask you one more question: how often and where should developers use Telnet when developing an interface?

Mark: If we kind of do a little bit of a time warp, 1990 would have been an okay time. Telnet, however, even though we see this on devices still today, IZON being an example, Telnet should never be used as any kind of remote access mechanism for any of these IoT devices, and especially in the IZON case not to upgrade firmware. So, there’s a lot of best practices, and again, a lot of these people that are manufacturing products, they have the best of intentions, they’re not malicious, they’re not dumb, they just don’t know the nuances of security.

And so, I think Build it Securely will be a bridge between the gap of that lack of knowledge, but also giving them a vehicle to work with researchers in a creative way and a way that actually lets us kind of endear ourselves to vendors, rather than kind of make it a bad experience where they might feel either challenged or they might feel like we’re calling them out. We want to make it about the research, about the expertise that we can lend to a situation, because we do this because we’re passionate, not necessarily because we want to make a lot of money, and we want to show vendors that we are here to help them and not just hurt them.

Tim: And we don’t know now what tomorrow will be as obvious as Telnet is now, because there are things that will break.

Mark: Sure. There’s always going to be things that are going to break. There’s always going to be – we saw the UPnP flaw a couple of years ago that affected a ton of internet-enabled devices. You can’t always forecast those things, but there are a lot of best practices that we can do right now that we know are good ideas or bad ideas. And if we can point people in the right direction, I think that they’re going to pick up on it, and if we start helping the little companies, where we can talk directly to the founders rather than having to go up a chain of command 12 deep, I think we can make a lot of impact and actually help people that are coming to market for the first time and have a lot of energy and passion for what they’re doing. And if we can really bring security to that mechanism as well, we’re going to have products that we want to buy on Kickstarter; we want to have them be secure, we don’t want to waste our money, so why not help them get out the door in the most secure way possible.

Why the hell would you connect your house to the internet, or any appliance to the Internet, anyway? Getting your appliance to work on your computer, or a computer, so you can control it via 1 PC for various aspects is fine, but connect it to the Internet and, no matter how secure it is, someone will find a way in. Best security is to NOT connect it to your Internet. Hell, pretty simple concept to understand.

Why should they be on a network at all? My refrigerator does just fine with a basic thermostat, electrical fusing, a device to pour water into a mold, dump it in a bin when frozen, then stop dumping it when the bin fills up, a switch to turn on the light when the door opens and a fan so it runs without the need to be defrosted. The additional gewgaws don't help with core operation.

Same with a stove or a microwave. For safety's sake, it should only be able to be turned on by someone who is physically present.

Sometimes, there is just no real point in adding a device to the IoT, and the fewer devices that have networks, the fewer attack vectors an attacker will have to operate with.

This doesn't mean that isolated networks are bad... for example, a vehicle needs the CANBus. However, if one doesn't need to have that functionality in a toaster, why build it in?

If we have to have a network or bus for statuses, why not a read-only bus, essentially like a serial port with the return line cut, so the device can send status messages out but not have them come back? That is the basic concept of a data diode. This way, one can tell if their fridge is over temperature, but a blackhat can't log on and turn the fridge off and spoil someone's steak stash.